Keylogging and Screenshotting Module
A breakdown of the malware module used by the Famous Chollima threat actor.

Keylogging

The module uses "node-global-key-listener" to record keystrokes. Keystrokes are saved in a temporary file.

Screenshotting

The module captures desktop screenshots using "screenshot-desktop". Screenshots are converted to web-friendly formats.

Data Upload

Keystrokes and screenshots are uploaded to the OtterCookie C2 server. The data is sent via TCP port 1478.

Clipboard Monitoring

One instance included clipboard monitoring in the module code. This extends the functionality to stealing clipboard content.
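
For defenders, the two package names above give a concrete dependency-tree hunting signal. The following is an added example, not code from the module or from the original page: it audits a parsed package-lock.json for "node-global-key-listener" and "screenshot-desktop" and flags a tree that pulls in both. The sample lockfile, its versions and the "helper-utils" package name are constructed for illustration.

```javascript
// Added hunting example; not code from the module described above.
const WATCHED = ["node-global-key-listener", "screenshot-desktop"];

// Extract the package name from a lockfile v2/v3 "packages" key,
// e.g. "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? null : p.slice(i + "node_modules/".length);
}

// Walk a lockfile v1 nested "dependencies" tree, recording how each hit is reached.
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    if (WATCHED.includes(name)) hits.push({ name, version: info.version, via: here.join(" > ") });
    walkV1(info.dependencies, here, hits);
  }
}

function auditLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      const name = nameFromPath(path);
      if (name && WATCHED.includes(name)) hits.push({ name, version: info.version, via: path });
    }
  } else {
    walkV1(lock.dependencies, [], hits);
  }
  const found = new Set(hits.map((h) => h.name));
  // Both are ordinary public npm packages, so one hit alone is weak signal;
  // both in the same tree matches the keylog + screenshot pairing described above.
  return { hits, bothPresent: WATCHED.every((n) => found.has(n)) };
}

// Constructed sample lockfile (v3 layout), not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/helper-utils/node_modules/node-global-key-listener": { version: "0.3.0" },
    "node_modules/screenshot-desktop": { version: "1.15.0" },
  },
};

console.log(auditLockfile(sampleLock));
```

A positive result is a lead for review of the code that imports these packages, together with any outbound connections to TCP port 1478, rather than a verdict on its own.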